From: Chris Marusich
Subject: Re: certbot service experience
Date: Sat, 29 Apr 2017 19:15:49 -0700
Message-ID: <87mvayhc8a.fsf@gmail.com>
In-Reply-To: <87tw56dhlp.fsf@dustycloud.org> (Christopher Allan Webber's message of "Sat, 29 Apr 2017 16:33:22 -0500")
To: Christopher Allan Webber
Cc: Guix-devel, 26685@debbugs.gnu.org

Christopher Allan Webber writes:

> - I was surprised that I was prompted for an email while doing guix
>   system reconfigure

That does seem odd.  Why were you prompted for an email address?  Can
that be fixed somehow?
> 2) Enable the certbot-service-type (and mcron-service-type if you
>    haven't already):
>
>     (service certbot-service-type
>              (certbot-configuration
>               ;; Replace these with your own domain and web root
>               (hosts '("test.activitypub.rocks"))
>               (webroot "/srv/activitypub.rocks/site/")))
>     ;; if you don't have an mcron service already
>     (service mcron-service-type)

Where is the certbot-service-type defined?  I couldn't find it in the
master branch.

Also, why is mcron required?  I don't know much about Let's Encrypt, but
I thought certbot was a one-time thing that you do manually...  Why is
it a "service" here?

> 3) Okay hopefully that went successfully!  It should say.  Assuming it
>    did, *now* we can add the keys appropriately to the nginx config.
>
>     (service nginx-service-type
>              (nginx-configuration
>               (server-blocks
>                (list
>                 (nginx-server-configuration
>                  ;; Again, adjust to your site
>                  (server-name '("test.activitypub.rocks"))
>                  (root "/srv/activitypub.rocks/site/")
>                  (ssl-certificate
>                   "/etc/letsencrypt/live/test.activitypub.rocks/fullchain.pem")
>                  (ssl-certificate-key
>                   "/etc/letsencrypt/live/test.activitypub.rocks/privkey.pem"))))))
>
> Reconfigure and cross your fingers!
>
> 4) At this point I was surprised that it seemed like nginx should have
>    been working with https since everything was in place, but I
>    couldn't access it from my browser over https.  Frustrated, I
>    restarted the server.
>
> And then it worked! :)
>
> So, this involved reconfiguring, reconfiguring, reconfiguring, and then
> a restart, then it worked for me.  (Well, plus a few reconfigures where
> nothing worked at all because I broke things of course. ;))  I wonder if
> that can be improved?

I wonder if it is possible to define a custom service which orchestrates
the execution of nginx and certbot in the way you require, so that you
can define it all in one place, at once, without needing to reconfigure
multiple times?
> That said, it's still really exciting to be able to describe these
> things declaratively, and to have Guix take care of keeping things
> renewed for me. :)  Excited to have this landing, and to be that much
> closer to doing server deployment with GuixSD!

Pretty cool!  Thanks for sharing your experience.  It's always neat to
read about how people are using the system.

-- 
Chris
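One way to keep the certbot and nginx settings from steps 2 and 3 in a single place, as an added example that is not from either message in this thread: bind the domain and web root once and derive the certbot hosts, the nginx server block and the certificate paths from those bindings, so that the two services cannot drift apart. The module names `(gnu services certbot)`, `(gnu services mcron)` and `(gnu services web)` and the `%tls-services` variable are assumptions; the configuration fields and the `/etc/letsencrypt/live/<domain>/` paths are the ones shown in the quoted message.

```scheme
;; Added example, not code from the thread.  Module names are assumed.
(use-modules (gnu services)
             (gnu services certbot)
             (gnu services mcron)
             (gnu services web))

;; Single source of truth for the site: change these two values only.
(define %domain "test.activitypub.rocks")
(define %webroot "/srv/activitypub.rocks/site/")

;; certbot places the live certificate under this directory (layout as in
;; the quoted configuration), so the nginx paths are derived, not retyped.
(define %live-dir (string-append "/etc/letsencrypt/live/" %domain "/"))

(define %tls-services
  (list
   ;; The certbot service schedules its renewal job through mcron.
   (service mcron-service-type)
   (service certbot-service-type
            (certbot-configuration
             (hosts (list %domain))
             (webroot %webroot)))
   (service nginx-service-type
            (nginx-configuration
             (server-blocks
              (list
               (nginx-server-configuration
                (server-name (list %domain))
                (root %webroot)
                (ssl-certificate
                 (string-append %live-dir "fullchain.pem"))
                (ssl-certificate-key
                 (string-append %live-dir "privkey.pem")))))))))

;; In the operating-system declaration:
;;   (services (append %tls-services %base-services))
```

The ordering from the quoted steps still applies on a fresh host: the certificate must exist before nginx is started with a server block that references it, so the first reconfigure may still need to run without the nginx block.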